[Zope] Re: Zope/Plone logon security strategy etc

michael nt milne michael.milne at gmail.com
Wed Jan 25 18:11:08 EST 2006


Yes, I agree; having checked on basic HTTP authentication, I need SSL.
Basic HTTP and cookie auth are insecure. I just feel that Zope should
have this facility even with a self-signed certificate, so that you
could do it without Apache and have more options. The option to even
just have it on for site logon would be good.

On 1/25/06, Tino Wildenhain <tino at wildenhain.de> wrote:
> michael nt milne schrieb:
> > Cookie authentication can't be secure. Also I have my doubts about
> > http authentication. I'll check though. Basically you want really good
> > encryption on any logon and password etc.
>
> You want SSL for all. There is no security if you have "logon" encrypted
> in a stateless protocol as HTTP is. Basically with HTTP you identify
> for every single request. So if you login "encrypted" and, say, handle
> the session with a one-time key (you could write a userfolder or plugin
> for PAS to do that), the one-time key is still vulnerable if not sent
> over an encrypted channel. So using Apache as SSL proxy is easy and secure
> and does exactly what you want. There is not really "an extra step"
> because you set up Apache or the like anyway on a moderately to heavily used
> site as frontend to Zope.
>
> As for the security aspect, a cookie with auth credentials is equally
> "secure" as Basic Auth. There is really not much of a difference -
> just another HTTP header name.
>
> Regards
> Tino
>
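The two points Tino makes above (a login cookie and Basic Auth carry the same secret, just in a different header, and only the transport encrypts it) can be shown in a few lines. The following is an added example, not code from the thread or from Zope itself; the header values are constructed, the `__ac` cookie name and its base64 `name:password` layout are an assumption modelled on Zope's cookie login, and the `request_is_tls` guard assumes a WSGI-style `environ` and a reverse proxy (Apache as SSL proxy, as suggested in the reply) that sets `X-Forwarded-Proto` and is the only peer whose forwarded header is believed.

```python
import base64
import binascii
from typing import Optional, Tuple
from urllib.parse import unquote

Creds = Tuple[str, str]

# Constructed sample headers (not captured traffic): the same secret once as
# HTTP Basic Auth and once as a base64 "name:password" login cookie. The cookie
# name __ac and its layout are an assumption for this example.
SAMPLE_SECRET = b"alice:s3cret"
BASIC_AUTH_REQUEST = {
    "Authorization": "Basic " + base64.b64encode(SAMPLE_SECRET).decode("ascii"),
}
COOKIE_AUTH_REQUEST = {
    "Cookie": "theme=blue; __ac=" + base64.b64encode(SAMPLE_SECRET).decode("ascii"),
}


def _decode_basic_pair(token: str) -> Optional[Creds]:
    """Decode a (possibly URL-quoted) base64 'name:password' token; None if malformed."""
    try:
        raw = base64.b64decode(unquote(token), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def credentials_on_the_wire(headers: dict) -> Optional[Creds]:
    """Recover the plaintext credentials that anyone who can read a plain HTTP
    connection sees, whether they travel as Basic Auth or as the login cookie.
    Both are the same secret; only the header name differs."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic" and token:
        return _decode_basic_pair(token.strip())
    for part in headers.get("Cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == "__ac":
            return _decode_basic_pair(value)
    return None


def request_is_tls(environ: dict,
                   trusted_proxies: frozenset = frozenset({"127.0.0.1"})) -> bool:
    """True if the request arrived over TLS, either directly or through a
    trusted reverse proxy that sets X-Forwarded-Proto. The forwarded header
    is believed only when the peer is a known proxy; otherwise any client
    could simply claim 'https'."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if environ.get("REMOTE_ADDR") in trusted_proxies:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def accept_login(environ: dict, headers: dict,
                 trusted_proxies: frozenset = frozenset({"127.0.0.1"})) -> Optional[Creds]:
    """Look at credentials only when the transport was encrypted; on plain
    HTTP refuse outright, so a secret sent in clear is never honoured."""
    if not request_is_tls(environ, trusted_proxies):
        return None
    return credentials_on_the_wire(headers)


if __name__ == "__main__":
    print("basic auth on the wire :", credentials_on_the_wire(BASIC_AUTH_REQUEST))
    print("cookie auth on the wire:", credentials_on_the_wire(COOKIE_AUTH_REQUEST))
    plain = {"wsgi.url_scheme": "http", "REMOTE_ADDR": "203.0.113.9"}
    proxied = {"wsgi.url_scheme": "http", "REMOTE_ADDR": "127.0.0.1",
               "HTTP_X_FORWARDED_PROTO": "https"}
    print("login over plain HTTP  :", accept_login(plain, BASIC_AUTH_REQUEST))
    print("login via SSL proxy    :", accept_login(proxied, COOKIE_AUTH_REQUEST))
```

Running it prints the same `('alice', 's3cret')` pair for both request shapes, which is the whole of the cookie-versus-Basic-Auth argument, and shows the guard rejecting the login unless the request came in over TLS or from the trusted proxy with `X-Forwarded-Proto: https`. Restricting the forwarded header to the proxy's address matters: without that check the guard would be defeated by any client adding the header itself.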

